Subject: local address and VPN
To: None <tech-net@netbsd.org>
From: Emmanuel Dreyfus <manu@netbsd.org>
List: tech-net
Date: 11/01/2004 23:58:34
Hello

I have some trouble with an IPsec VPN setup for the road warrior case:

road -------- default gw ----- internet ----- VPN gw ---->
warrior

My problem occurs on the road warrior. I have the following addresses:
INTERNAL_ADDR: the internal address. The packets going out of the tunnel
at VPN gw should have this IP as the source address
LOCAL_ADDR: the road warrior external address.
REMOTE_ADDR: the VPN gw address
DEFAULT_GW: the default gw address 

Here is my setup, done after the phase 1 SA is established:

#!/bin/sh
# Road-warrior side. Assumes INTERNAL_ADDR, LOCAL_ADDR, REMOTE_ADDR and
# DEFAULT_GW are already set in the environment (see the definitions above).
# Give the host its internal address on the loopback interface
ifconfig lo0 alias ${INTERNAL_ADDR}
# Keep only a host route to the VPN gw via the real default gw,
# and send everything else through the internal address
route delete default
route add ${REMOTE_ADDR} ${DEFAULT_GW}
route add default ${INTERNAL_ADDR}
# Outbound traffic from INTERNAL_ADDR and inbound traffic to it must use
# the ESP tunnel between LOCAL_ADDR and REMOTE_ADDR
echo "
spdadd ${INTERNAL_ADDR}/32 0.0.0.0/0 any -P out ipsec
esp/tunnel/${LOCAL_ADDR}-${REMOTE_ADDR}/require;
spdadd 0.0.0.0/0 ${INTERNAL_ADDR}/32 any -P in ipsec
esp/tunnel/${REMOTE_ADDR}-${LOCAL_ADDR}/require;
" | setkey -c

At that time, sending a ping to the private server causes the phase 2 SA
to be established, and the ping works. 

But when I use telnet or nslookup on the road warrior, the traffic gets
dropped by the local machine. I added a few printf in the kernel and
discovered that for privileged sockets, the source address is
${INTERNAL_ADDR}, but for unprivileged sockets, it is ${LOCAL_ADDR}.
Because ${LOCAL_ADDR} does not match any SPD, packets get dropped.

Questions:
1) Is it normal to get a different default local address for
privileged and unprivileged sockets?
2) Is there a way to influence the default local address? I'd like to
force all communications to use the internal address.
3) Is my setup wrong? How should it be done?

-- 
Emmanuel Dreyfus
There are 10 kinds of people in the world: those who understand
binary and those who do not.
manu@netbsd.org
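The post finds the source-address problem by adding printf calls to the kernel. The same thing can be observed from userland: connecting a UDP socket sends nothing but makes the kernel run its source-address selection, which getsockname() then reveals, and binding the socket first pins the source address (one answer to question 2 from the application side). The script below is an added example, not part of the original message or of NetBSD; the addresses, the port and the policy list are constructed values standing in for the post's placeholders. It reports the source address the kernel would pick for a destination and whether that address falls inside the outbound SPD selector, which is exactly the check that fails for the unprivileged sockets described above.

```python
import ipaddress
import socket

# Constructed stand-ins for the post's placeholders (assumptions, not real hosts).
INTERNAL_ADDR = "10.10.0.5"   # address on lo0, expected source for tunnelled traffic
LOCAL_ADDR = "192.0.2.10"     # road warrior's real external address

# Outbound SPD selectors mirroring the "spdadd ... -P out" line: (src_net, dst_net)
OUT_POLICIES = [(f"{INTERNAL_ADDR}/32", "0.0.0.0/0")]


def kernel_source_for(dst, bind_addr=None, port=53):
    """Return the local address the kernel would use to reach dst, or None.

    A UDP connect() transmits no packet; it only records the route lookup
    and the chosen source address, which getsockname() exposes. When
    bind_addr is given the socket is bound first, forcing that source.
    Returns None if dst has no route from this host.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        if bind_addr is not None:
            s.bind((bind_addr, 0))
        s.connect((dst, port))
        return s.getsockname()[0]
    except OSError:
        return None
    finally:
        s.close()


def spd_out_matches(src, dst, policies=OUT_POLICIES):
    """Return the first (src_net, dst_net) selector covering src->dst, else None.

    This is the same containment test the kernel applies when it looks up
    an outbound packet in the SPD: both selector prefixes must match.
    """
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    for src_net, dst_net in policies:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return (src_net, dst_net)
    return None


def diagnose(dst, bind_addr=None):
    """Return (chosen_source, matching_policy) for a destination.

    chosen_source is None when dst is unroutable; matching_policy is None
    when the chosen source would not be covered by any outbound policy,
    i.e. the packet would leave unprotected or be dropped, as in the post.
    """
    src = kernel_source_for(dst, bind_addr)
    if src is None:
        return (None, None)
    return (src, spd_out_matches(src, dst))


if __name__ == "__main__":
    # Run once as an unprivileged user and once as root to compare results.
    for target in ("203.0.113.7", "127.0.0.1"):
        print(target, "->", diagnose(target))
        print(target, "bound to INTERNAL_ADDR ->", diagnose(target, INTERNAL_ADDR))
```

Run it twice, once as root and once as an ordinary user, against the private server's address: a source of ${LOCAL_ADDR} with no matching policy reproduces the drop described above, and the bound variant shows what happens when the application pins ${INTERNAL_ADDR} itself.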